Harden and Secure Your AWS EC2 Image - BASIC

MAxXMAxX
7 min read

Table of contents

So, let’s start with the first question: What is an EC2 image?

An EC2 Image, also known as an Amazon Machine Image (AMI), is a pre-configured template( Master copy or blueprint for your virtual server) used to launch Amazon EC2 (Elastic Compute Cloud) instances.

What is a Hardened Image in AWS EC2?

A Hardened Image is a pre-configured system image that’s secured as per the required standards from the organisation and used to launch secure Amazon EC2 (Elastic Compute Cloud) instances quickly -safe, fast, and compliantly

It includes:

  • Latest OS & software updates

  • Unused ports/services disabled

  • Strong SSH & firewall rules

  • Vulnerability patches applied

  • Only essential packages are installed

Process of basic hardening & must be done :

I am explaining with Amazon Linux, commands may vary for other operating systems

Step 1: Launch a Base EC2 Instance

⚠️ Must check your region

  1. Go to AWS Console → EC2 → Launch Instance

  2. Select Amazon Linux 2 AMI (HVM), SSD Volume Type

  3. Choose instance type (e.g., t2.micro)

  4. Configure network, storage, etc.

  5. Add a key pair (for SSH access)

  6. Launch the instance

Step 2: Connect via SSH

ssh -i your-key.pem ec2-user@your-public-ip

Step 3: Harden the OS

3.1 Update the system

sudo yum update -y

3.2 Disable unused services (if present)

# Check for active unnecessary services
systemctl list-unit-files | grep enabled

# Disable examples:
sudo systemctl disable postfix
sudo systemctl disable cups

3.3 Secure SSH

sudo vi /etc/ssh/sshd_config

Change or add these lines:

PermitRootLogin no
PasswordAuthentication no
ClientAliveInterval 300
LoginGraceTime 30

#Use protocol 2: Protocol 2

Then restart SSH:


sudo systemctl restart sshd

3.4 Set up firewall (optional, since AWS SG handles most)

sudo yum install firewalld -y
sudo systemctl enable firewalld
sudo systemctl start firewalld
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload

3.5 Install audit and logging tools

sudo yum install audit aide -y
sudo systemctl enable auditd
sudo systemctl start auditd

3.6 Install baseline security tools

⚠️ It's best to create your own package and use the tools provided by your organisation for security reasons. However, as a beginner training exercise, it's okay to learn the process.

  • Optional → Install Lynis for auditing (it’s an open-source tool )

  • ⚠️ Be cautious

    1. Limit Privileges:
      Run tools with the least privilege needed. Avoid unnecessary sudo unless the tool requires it (Lynis does need root for full system checks).

    2. Audit the Tool Itself:
      You can even run lynis In a sandboxed environment like a container or VM before using it on production systems.

    3. Check for tampering:
      Before running any script or binary:

      • Inspect the code if you're able.

      • Check the GitHub repo activity (last commit, open issues).

      • Look for a signed release or checksum (if provided).

sudo yum install git -y
git clone https://github.com/CISOfy/lynis
cd lynis
sudo ./lynis audit system

Step 4: Clean Up the Instance Before Creating AMI

# Remove shell history and SSH host keys
history -c
sudo rm -f /etc/ssh/ssh_host_*
sudo cloud-init clean

Step 5: Create a Hardened AMI

  1. Head over to the EC2 Console → Instances.

  2. Right-click on your instance and select Image → Create Image.

  3. Give it a name like amazon-linux2-hardened-v1.

  4. Add a description and any tags you need.

  5. Click on Create Image.

After a few minutes, you'll see your AMI listed under AMIs.

Step 6: Use the Hardened AMI

When you need a secure instance:

  • Launch a new EC2 instance using your hardened AMI.

  • Remember to apply updates regularly and create new versions of your hardened image.

Optional: Automate with EC2 Image Builder

To automatically rebuild AMIs with patches and hardening:

  • Go to EC2 → Image Builder.

  • Create a new pipeline.

  • Use Amazon Linux 2 as the base.

  • Add Components like YUM updates and hardening shell scripts.

  • Set up a build schedule.

But but but there is a twist.

After setting PermitRootLogin no, you can still become the root user using the

sudo su Command, which undermines our efforts.

So, what's the solution?

The solution is to:

  1. Disable sudo access for everyone.

  2. Grant access only to trusted users.

  3. Restrict unnecessary permissions.

Step 1: Check Who Has Sudo Access

Check the file

  1. sudo cat /etc/sudoers

  2. Alternatively, check this file:

    sudo cat /etc/sudoers.d/90-cloud-init-users

⚠️ Important Note:

  • Don't remove sudo access from your only admin user unless you have another user with root access.

  • If you get locked out, you’ll need to use EC2 rescue mode to fix it.

Edit the sudoers file safely:

  1. sudo visudo

  2. Look for a line like: ec2-user ALL=(ALL) NOPASSWD:ALL. Once you find it, comment it out with a # to remove access - ec2-user Is the user, ⚠️ check your user name before removing it using whoami

  3. To give access to any user, write in this format : ec2-user ALL=(ALL) NOPASSWD:ALL

Step 1: Allow sudo only for trusted users

If a user doesn’t need sudoRemove it: sudo gpasswd -d ec2-user wheel # Amazon Linux

Limit sudo to specific commands (if needed)

  1. sudo visudo

  2. Add a line like: ec2-user ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx - This allows devuser to only restart nginx — nothing else.

    Monitor and log all sudo usage

    Every time someone uses sudoIt's logged in:

    /var/log/secure # RHEL / Amazon Linux

    You can also set up alerts using

    • AWS CloudWatch logs

    • Fail2Ban

    • OSSEC/Wazuh

Use MFA + IAM + SSM (advanced but powerful)

  • Disable SSH altogether

  • Use AWS IAM + Systems Manager (SSM) to log in securely (no key/pem file)

  • Enable MFA (Multi-Factor Auth) for IAM users

Many modern companies use SSM to completely avoid giving SSH/sudo to developers

Summary: Can a hacker use sudo su?

ScenarioCan a Hacker Become Root?
ec2-user has full sudo✅ Yes
ec2-user has sudo for 1 command only❌ No
ec2-user has no sudo❌ No
Sudo requires a password (and they don’t know it)❌ No

🍜 You can with a script to do all

If the user is in the wheel or sudo group, remove them:

sudo gpasswd -d ec2-user wheel

or: ⚠️ BE CAREFULL

sudo usermod -G "" ec2-user  # Clears all groups (be careful!)

Step 3: Test if sudo su is Blocked

Now, switch to the user:

su - ec2-user
sudo su

Best Practice

ActionRecommendation
Disable root SSH loginPermitRootLogin no
Disable password loginUse key pair only ✅
Remove sudo from all usersOnly if you use IAM or SSM for admin 🔐
Use least-privilege accountsGrant sudo only to trusted admins

Also, if you restart the instance, you will see a WARNING.

Host Key Verification WARNING: Your EC2 instance host key has changed. Either someone is eavesdropping on you (man-in-the-middle attack) or your system administrator changed the host key. The fingerprint for the instance i-0379585793b65e726 is SHA256:M5dRrB+ihH2LUgTlAE1MRrkuy2mdQwXByBPHYznCuB0. Before connecting, contact your system administrator to verify if they changed the host key. Are you sure you want to continue connecting? (yes/no)

Don’t worry, just type yes. You're seeing this host key verification warning because the EC2 instance's identity has changed from what your system remembers, and this is a security feature built into SSH to prevent "man-in-the-middle" attacks.

What Does the Warning Mean?

SSH saves the identity (host key fingerprint) of every server you've connected to in a file called:

~/.ssh/known_hosts

If that fingerprint changes, SSH thinks:

  • The server might not be who it claims to be (possible attacker)

  • Or the server was rebuilt or replaced (like a new EC2 with the same IP)

Why This Happens in AWS

This warning is really common with EC2 because:

  • You might have terminated and recreated an instance using the same public IP or DNS

  • Or AWS might have auto-recycled the IP and assigned it to a new instance

So SSH is basically saying: "Hold on! This server used to have a different identity."

What You Can Do (If You Trust It's Yours)

Option 1: Remove the old key manually

  1. On your local machine, open a terminal and run:
ssh-keygen -R your-ec2-public-ip
#Example:

ssh-keygen -R 13.234.123.45

  • Then reconnect:

      ssh ec2-user@13.234.123.45
  # you will see - Are you sure you want to continue connecting (yes/no)?
  and type yes

    Option 2: (If unsure): Check the host key

    If you're worried about security:

    • Go to AWS Console → EC2 → Select your instance

    • Use EC2 Instance Connect (browser-based) to log in safely

    • Then from inside the instance,

    ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
1
Subscribe to my newsletter

Read articles from MAxX directly inside your inbox. Subscribe to the newsletter, and don't miss out.

AWSSecurityCloudnetworkingLinuxamazon-linuxec2EC2 instancehardeningRoot User

Written by

MAxX
MAxX

Hi, I’m Sumon— a B.Tech student, curious software engineer, and part-time cloud adventurer ☁️. I love building things with the MERN stack, exploring AWS, and writing about what I learn so others can follow along. When I’m not coding, I’m probably riding my bike, capturing moments with my camera, or dreaming about sound design in a Pixar studio. This blog is where I share what I’m learning — from full-stack projects to securing EC2 instances and everything in between. Stick around if you like practical tech, honest mistakes, and small wins that lead to big things.